CVE-2026-27854
Published: 31 March 2026
Summary
CVE-2026-27854 is a medium-severity Use After Free (CWE-416) vulnerability in Powerdns Dnsdist. Its CVSS base score is 4.8 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 0.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly remediates the use-after-free vulnerability in DNSdist by applying vendor patches from the PowerDNS security advisory.
Provides memory protection mechanisms that prevent unauthorized access to freed memory, mitigating use-after-free exploitation in DNSdist's Lua processing.
Limits DNSdist to least functionality by disabling or restricting non-essential custom Lua scripting that invokes the vulnerable DNSQuestion:getEDNSOptions method.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Vuln in public-facing DNSdist enables remote exploitation via crafted DNS queries for DoS (crash) via memory corruption; directly maps to T1190 (public-facing app) and T1499.004 (app exploitation for DoS).
NVD Description
An attacker might be able to trigger a use-after-free by sending crafted DNS queries to a DNSdist using the DNSQuestion:getEDNSOptions method in custom Lua code. In some cases DNSQuestion:getEDNSOptions might refer to a version of the DNS packet that has…
more
been modified, thus triggering a use-after-free and potentially a crash resulting in denial of service.
Deeper analysisAI
CVE-2026-27854 is a use-after-free vulnerability (CWE-416) affecting DNSdist, a DNS load balancer. The issue arises when custom Lua code invokes the DNSQuestion:getEDNSOptions method on a DNS packet that has been modified after initial processing. An attacker can trigger this by sending crafted DNS queries, leading to a reference to freed memory.
A remote, unauthenticated attacker can exploit this vulnerability over the network with no user interaction required, though it demands high attack complexity (CVSS:3.1 score of 4.8; AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:L). Exploitation may result in a process crash, causing a denial of service, with potential low-impact confidentiality exposure due to the memory corruption.
Mitigation details are available in the PowerDNS security advisory for dnsdist at https://www.dnsdist.org/security-advisories/powerdns-advisory-for-dnsdist-2026-02.html.
Details
- CWE(s)